Malware Analysis Report

2024-10-10 10:01

Sample ID 240519-tp9hgafa2w
Target Solara_Updater.exe
SHA256 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
Tags
umbral xworm execution persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Threat Level: Known bad

The file Solara_Updater.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm execution persistence rat stealer trojan

Process spawned unexpected child process

Detect Umbral payload

Detect Xworm Payload

Xworm

Modifies WinLogon for persistence

Umbral

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:15

Reported

2024-05-19 16:17

Platform

win7-20240215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\lsm.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\hostNet\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\hostNet\\XClient.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\hostNet\\XClient.exe\", \"C:\\Users\\Default\\Start Menu\\lsass.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\lsm.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\hostNet\\XClient.exe\", \"C:\\Users\\Default\\Start Menu\\lsass.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\lsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Start Menu\\lsass.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\hostNet\\XClient.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Common Files\\lsm.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\hostNet\\XClient.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Start Menu\\lsass.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Common Files\\lsm.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC5E80A13DCBAA417DB31DBAE6E9987E4.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\oin92z.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\101b941d020240 C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\Common Files\lsm.exe C:\hostNet\bridgeblockportComBroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Migration\WTR\Idle.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\Migration\WTR\6ccacd8608530f C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1644 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1644 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1644 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1644 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2652 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2652 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2652 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2652 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2652 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2652 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2652 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2652 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2652 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2652 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2296 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2296 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2296 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2296 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1476 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1476 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1476 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1476 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1476 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1476 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1476 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1476 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1476 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1476 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1748 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1748 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1748 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1748 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2372 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2372 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2372 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2372 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2372 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2372 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2372 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2372 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2372 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2372 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 888 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 888 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 888 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 888 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1284 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1284 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1284 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1284 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1284 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1284 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1284 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1284 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhon3r4u\fhon3r4u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8739.tmp" "c:\Windows\System32\CSC5E80A13DCBAA417DB31DBAE6E9987E4.TMP"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\hostNet\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 8 /tr "'C:\hostNet\XClient.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\hostNet\XClient.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 10 /tr "'C:\hostNet\XClient.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 11 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 7 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x2a6TzyCrT.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Program Files (x86)\Common Files\lsm.exe

"C:\Program Files (x86)\Common Files\lsm.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\taskeng.exe

taskeng.exe {665B4307-A17D-413A-974F-4A5B87DD1B11} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 ip-api.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/1644-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

memory/1644-1-0x00000000000D0000-0x00000000002B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

memory/2900-7-0x0000000001050000-0x000000000107A000-memory.dmp

memory/1644-13-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

memory/2900-14-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/1644-15-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

memory/2900-95-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

MD5 02d21af8c5d6e8e0240a01325bcc4154
SHA1 ce58641040b6fe35d465a8a6932c277c7ff37ee5
SHA256 31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7
SHA512 758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

\hostNet\bridgeblockportComBroker.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/1236-108-0x00000000003B0000-0x000000000058E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

memory/808-116-0x00000000000A0000-0x00000000000B6000-memory.dmp

memory/2900-120-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/816-121-0x0000000000E10000-0x0000000000E50000-memory.dmp

memory/1236-123-0x00000000005F0000-0x00000000005FE000-memory.dmp

memory/1236-125-0x0000000001FD0000-0x0000000001FEC000-memory.dmp

memory/1236-130-0x0000000001FF0000-0x0000000002008000-memory.dmp

memory/1236-135-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

memory/1236-137-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fhon3r4u\fhon3r4u.cmdline

MD5 bacee2dbaf7ab553f935637cdc1e1022
SHA1 92d605c838262c947e1177cbbf6f86580c14402a
SHA256 cdc51ae32a08b5e890a727db5083f0d40b7446fb0814cb9f25ad1bf1aa81a7f7
SHA512 c513fccfea66a0e621cd36042db3b95bac04c0dde16d50559fbce5be704f8e32417157d3c2d6aafb3130f951a541c13a6ebfc9271a61faa8bad6fda5871480e8

\??\c:\Users\Admin\AppData\Local\Temp\fhon3r4u\fhon3r4u.0.cs

MD5 9eb98e1ff08bb0d35672c6c7f427b1a0
SHA1 d2819389b2baa6778be0ac15d5f2bf8d7933249e
SHA256 2d1e5b23081821620b19ea68deaa204d542f82bc1742e898db108aec060a196c
SHA512 4d8491c9694c8fb7c9f6fb3bfa6a5a8f1d6c7315ad12d1bbc5176b2bb3ffa966953f824e42d525be6da26580cc8d768b9b6b24ada30a2abc9267a8d6ddf4200f

C:\Users\Admin\AppData\Local\Temp\RES8739.tmp

MD5 48b3774e5d1e92a1bb4f5145357891ba
SHA1 218e2a8d9c5e923226fc85a782f1112d24a160b7
SHA256 668d52d05b5016b1b57f97444723007f5ec475f84788ecaa73bb172dd9d14c2d
SHA512 98ecd60955dc8df9e4a0c4dad55e307b11993b3e2fb7583250c0768250ac1306872908900d16cc93018f66cf87469d11cc1cd64fc873883e403c89e7c89da2a0

\??\c:\Windows\System32\CSC5E80A13DCBAA417DB31DBAE6E9987E4.TMP

MD5 1c0f7844f7e250162f11df610012cc1f
SHA1 2ee0b2ac51be783b0d196868edc6a1fe7a0af068
SHA256 988d255e5988f6b4de58f1eb852279c5974974d18d47af4dccb89cacff4cc020
SHA512 3b323f3a51f44e5dc73f7f54cecb39de91fdb6ea64965fb2e84764297e2856e86c9751c71bb5d549f322547c9b383a13f16775d32e8c9333a66a11739d5e3f6d

memory/2616-188-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/2616-189-0x0000000001D90000-0x0000000001D98000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9KOHAKBIGXXD3RBKKSS6.temp

MD5 55380d8be8316a9dcbd2ef12cb3a297b
SHA1 6f25cd629b2a08689be421074eca1c8beb72f0c9
SHA256 1c5aa4e6c037fe488101e32c61b55a68b238fb0e2a8018b6cbc987ed52534b53
SHA512 aafd1a664b328a2520605dce96169710e5942981210f4e47c67bca7dc97cd0576f5ba90fe6c50a75377da30f799c0202516cc578d1bcc6a81b758c55bb2900aa

memory/2168-194-0x000000001B540000-0x000000001B822000-memory.dmp

memory/2168-195-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/2192-216-0x00000000013D0000-0x00000000015AE000-memory.dmp

memory/752-234-0x0000000001300000-0x0000000001316000-memory.dmp

memory/1648-250-0x0000000000870000-0x00000000008B0000-memory.dmp

memory/3024-253-0x0000000001230000-0x000000000125A000-memory.dmp

memory/3040-299-0x0000000000160000-0x00000000001A0000-memory.dmp

memory/2632-323-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

memory/1664-336-0x0000000000C10000-0x0000000000C50000-memory.dmp

memory/2144-384-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

memory/1868-432-0x00000000011F0000-0x0000000001230000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:15

Reported

2024-05-19 16:17

Platform

win10v2004-20240226-en

Max time kernel

68s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2428 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2428 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2428 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2428 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2428 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2428 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2376 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2376 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2376 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2376 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2376 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2376 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2376 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1992 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1992 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1992 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1992 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1992 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1992 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1992 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 788 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 788 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 788 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 788 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 788 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 788 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 788 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 3368 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3368 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3368 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3368 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3368 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3368 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 3368 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4236 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4236 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4236 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 4236 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 5080 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5080 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5080 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5080 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5080 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5080 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 5080 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4148 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4148 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4148 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4148 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4148 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4148 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4148 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 3096 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3096 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3096 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3096 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2380 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2380 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1868 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1868 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3844 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3844 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1868 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oiosxfja\oiosxfja.cmdline"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE9F.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C6F892BA6F049C0BB1C42B55371E24.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcbzmeex\xcbzmeex.cmdline"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DB.tmp" "c:\Users\Admin\AppData\Roaming\CSC2DF3E632D8534E5A84A309B7CDD374.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trvbkygg\trvbkygg.cmdline"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES371.tmp" "c:\Windows\System32\CSCA9863F3A1604EA78B4591A2E1E2988D.TMP"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\hostNet\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\hostNet\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\hostNet\System.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\hostNet\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\hostNet\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\hostNet\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H8S9Oa3LSw.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet\bridgeblockportComBroker.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 95.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2428-0-0x00007FFE6DE93000-0x00007FFE6DE95000-memory.dmp

memory/2428-1-0x0000000000A10000-0x0000000000BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

memory/2428-10-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/4236-19-0x0000000000570000-0x000000000059A000-memory.dmp

memory/4236-20-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/2376-26-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

memory/2428-25-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

memory/2376-30-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

memory/3844-53-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/2380-62-0x0000024F3D9B0000-0x0000024F3D9F0000-memory.dmp

memory/4236-63-0x00007FFE6DE90000-0x00007FFE6E951000-memory.dmp

memory/3096-76-0x000000001C360000-0x000000001C462000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log

MD5 4c8fa14eeeeda6fe76a08d14e08bf756
SHA1 30003b6798090ec74eb477bbed88e086f8552976
SHA256 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

memory/1104-84-0x00000213AE110000-0x00000213AE132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnobrlhq.sii.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

memory/1104-100-0x00000213AE0E0000-0x00000213AE0FE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50d3033f2bc3a3774c469d03e71a79a9
SHA1 22027b1d52085de99b3bffa276530fea5d961471
SHA256 2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147
SHA512 ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d6baabb78161c2401e97f08de1b3b4e
SHA1 7bd22cebd5f310d8ac2ef8027caf6a0ec3bf709e
SHA256 1cea816e9897ec6852edb3671e5a93b05ea817bc969c4d47ee70f5573f95df42
SHA512 9f35b70cdb0159002143296f11dd22bec6e28836d36bb2ec0527692935cfc3f43df54871a9397bbdf2aaf6912943968310320433ca51a39e360d7227262c754c

C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

MD5 02d21af8c5d6e8e0240a01325bcc4154
SHA1 ce58641040b6fe35d465a8a6932c277c7ff37ee5
SHA256 31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7
SHA512 758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

C:\hostNet\bridgeblockportComBroker.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/5564-177-0x0000000000BC0000-0x0000000000D9E000-memory.dmp

memory/5724-179-0x000000001B410000-0x000000001B41E000-memory.dmp

memory/5724-181-0x000000001B5A0000-0x000000001B5BC000-memory.dmp

memory/5724-182-0x000000001B950000-0x000000001B9A0000-memory.dmp

memory/5724-184-0x000000001B5C0000-0x000000001B5D8000-memory.dmp

memory/5724-186-0x000000001B460000-0x000000001B468000-memory.dmp

memory/5724-188-0x000000001B580000-0x000000001B58C000-memory.dmp

memory/5636-257-0x0000000000D50000-0x0000000000D58000-memory.dmp

memory/1252-278-0x000002767D640000-0x000002767D742000-memory.dmp

memory/4848-288-0x0000016EA2ED0000-0x0000016EA2FD2000-memory.dmp

memory/5564-298-0x000002926AC00000-0x000002926AD02000-memory.dmp